Error Codes Wiki

Windows VPN Connection Errors — Error 800, 809, 628 and L2TP/IPsec Issues


Overview

Fix Windows built-in VPN connection errors including Error 800 (tunnel failed), Error 809 (blocked ports), and L2TP/IPsec NAT traversal failures.

Key Details

  • Windows supports built-in VPN protocols: IKEv2, SSTP, L2TP/IPsec, and PPTP
  • Error 800: VPN tunnel could not be established (server unreachable or connection refused)
  • Error 809: network connection between computer and VPN server could not be established (blocked ports)
  • Error 628: connection was terminated by the remote computer before it could be completed
  • L2TP/IPsec requires UDP ports 500 and 4500 for NAT traversal

Common Causes

  • VPN server address incorrect or server not responding
  • Firewall blocking VPN ports (UDP 500, 4500 for L2TP; TCP 443 for SSTP)
  • Pre-shared key mismatch between client and VPN server
  • NAT device between client and server not supporting IPsec passthrough
  • Windows VPN client behind double NAT causing L2TP failures

Steps

  1. Verify the VPN server address and test connectivity: ping or telnet to the server address
  2. For L2TP behind NAT: add the registry value AssumeUDPEncapsulationContextOnSendRule=2 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Check the firewall: ensure UDP 500, 4500 (L2TP) or TCP 443 (SSTP) are open
  4. Verify the pre-shared key matches the server configuration exactly
  5. Try the IKEv2 or SSTP protocol instead of L2TP if NAT traversal issues persist
  6. Restart the IPsec services: net stop ikeext && net start ikeext && net stop PolicyAgent && net start PolicyAgent
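
The checks in steps 1, 2, 3 and 6 can be collected into one report before anything is changed. The PowerShell script below is an added example, not part of the original page; the server name vpn.example.com and the -ApplyNatFix switch are assumptions made for illustration.

```powershell
# Added example, not from the original page. 'vpn.example.com' is a placeholder.
param(
    [string]$Server = 'vpn.example.com',
    [switch]$ApplyNatFix   # write the step 2 value; requires an elevated session
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Step 1: basic reachability. ICMP is often filtered, so a failed ping alone
# does not prove the server is down.
$pingOk = Test-Connection -ComputerName $Server -Count 2 -Quiet

# Step 2: read the NAT-T policy value. Per Microsoft's documentation:
#   0 (default when absent) = no security associations to servers behind NAT
#   1 = server may be behind NAT; 2 = both client and server may be behind NAT
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }
if ($ApplyNatFix -and $current -ne 2) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
    $current = 2
}

# Step 3: only SSTP's TCP 443 can be probed with a connect test. UDP 500/4500
# are connectionless, so telnet or a TCP probe says nothing about them; check
# the firewall and NAT rules on the path instead.
$sstp = Test-NetConnection -ComputerName $Server -Port 443 -WarningAction SilentlyContinue

# Step 6: state of the two services that the restart command cycles.
$svc = Get-Service -Name IKEEXT, PolicyAgent

[pscustomobject]@{
    Server            = $Server
    PingSucceeded     = $pingOk
    Tcp443Reachable   = $sstp.TcpTestSucceeded
    NatTraversalValue = $current
    NatFixPresent     = ($current -eq 2)
    IKEEXT            = ($svc | Where-Object Name -eq 'IKEEXT').Status
    PolicyAgent       = ($svc | Where-Object Name -eq 'PolicyAgent').Status
}
```

Run it without -ApplyNatFix for a read-only report. Microsoft's guidance for this registry value is to restart the computer after changing it.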

Tags

vpn, l2tp, ipsec, error-800, connection-error

Frequently Asked Questions

L2TP/IPsec was not designed for NAT. The NAT traversal registry fix (AssumeUDPEncapsulationContextOnSendRule=2) enables UDP encapsulation to work through NAT devices.